Merge pull request #129 from navikt/dev/VaultUtil

Tatt i bruk VaultUtil fra emottak-utils

Author: terjenilssen

cpa-repo/src/main/kotlin/no/nav/emottak/cpa/persistence/DBConfiguration.kt

@@ -5,8 +5,8 @@ import com.zaxxer.hikari.HikariConfig
 import no.nav.emottak.cpa.log
 import no.nav.emottak.utils.environment.fromEnv
 import no.nav.emottak.utils.environment.getEnvVar
+import no.nav.emottak.utils.vault.VaultUtil
 import no.nav.vault.jdbc.hikaricp.HikariCPVaultUtil
-import no.nav.vault.jdbc.hikaricp.VaultUtil
 
 const val CPA_DB_NAME = "emottak-cpa-repo-db"
 
@@ -55,10 +55,9 @@ fun VaultConfig.configure(role: String): HikariConfig {
         this.maximumPoolSize = maxPoolSizeForUser
         if (role == "admin") {
             this.maximumPoolSize = maxPoolSizeForAdmin
-            val vault = VaultUtil.getInstance().client
             val path: String = this@configure.vaultMountPath + "/creds/$databaseName-$role"
             log.info("Fetching database credentials for role admin")
-            val response: LogicalResponse = vault.logical().read(path)
+            val response: LogicalResponse = VaultUtil.getClient().logical().read(path)
             this.username = response.data["username"]
             this.password = response.data["password"]
         }

ebms-async/src/main/kotlin/no/nav/emottak/ebms/async/persistence/DatabaseConfig.kt

@@ -4,8 +4,8 @@ import com.bettercloud.vault.response.LogicalResponse
 import com.zaxxer.hikari.HikariConfig
 import no.nav.emottak.ebms.async.log
 import no.nav.emottak.utils.environment.getEnvVar
+import no.nav.emottak.utils.vault.VaultUtil
 import no.nav.vault.jdbc.hikaricp.HikariCPVaultUtil
-import no.nav.vault.jdbc.hikaricp.VaultUtil
 
 const val EBMS_DB_NAME = "emottak-ebms-db"
 
@@ -33,10 +33,9 @@ fun VaultConfig.configure(role: String): HikariConfig {
         this.maximumPoolSize = maxPoolSizeForUser
         if (role == "admin") {
             this.maximumPoolSize = maxPoolSizeForAdmin
-            val vault = VaultUtil.getInstance().client
             val path: String = this@configure.vaultMountPath + "/creds/$databaseName-$role"
             log.info("Fetching database credentials for role admin")
-            val response: LogicalResponse = vault.logical().read(path)
+            val response: LogicalResponse = VaultUtil.getClient().logical().read(path)
             this.username = response.data["username"]
             this.password = response.data["password"]
         }

ebms-payload/src/main/kotlin/no/nav/emottak/payload/crypto/Dekryptering.kt

@@ -3,9 +3,9 @@ package no.nav.emottak.payload.crypto
 import no.nav.emottak.crypto.FileKeyStoreConfig
 import no.nav.emottak.crypto.KeyStoreManager
 import no.nav.emottak.crypto.VaultKeyStoreConfig
-import no.nav.emottak.crypto.parseVaultJsonObject
 import no.nav.emottak.util.decodeBase64
 import no.nav.emottak.utils.environment.getEnvVar
+import no.nav.emottak.utils.vault.parseVaultJsonObject
 import org.bouncycastle.asn1.x500.X500Name
 import org.bouncycastle.cms.CMSEnvelopedData
 import org.bouncycastle.cms.KeyTransRecipientId

ebms-payload/src/main/kotlin/no/nav/emottak/payload/crypto/PayloadSignering.kt

@@ -3,11 +3,11 @@ package no.nav.emottak.payload.crypto
 import no.nav.emottak.crypto.FileKeyStoreConfig
 import no.nav.emottak.crypto.KeyStoreManager
 import no.nav.emottak.crypto.VaultKeyStoreConfig
-import no.nav.emottak.crypto.parseVaultJsonObject
 import no.nav.emottak.message.model.SignatureDetails
 import no.nav.emottak.util.createX509Certificate
 import no.nav.emottak.util.signatur.SignatureException
 import no.nav.emottak.utils.environment.getEnvVar
+import no.nav.emottak.utils.vault.parseVaultJsonObject
 import org.w3c.dom.Document
 import java.io.FileReader
 import java.security.Key

ebms-payload/src/main/kotlin/no/nav/emottak/payload/ocspstatus/OCSPConfig.kt

@@ -1,8 +1,8 @@
 package no.nav.emottak.payload.ocspstatus
 
 import no.nav.emottak.crypto.FileKeyStoreConfig
-import no.nav.emottak.crypto.parseVaultJsonObject
 import no.nav.emottak.utils.environment.getEnvVar
+import no.nav.emottak.utils.vault.parseVaultJsonObject
 import java.io.FileReader
 
 internal fun trustStoreConfig() = FileKeyStoreConfig(

ebms-provider/src/main/kotlin/no/nav/emottak/ebms/xml/EbMSSigning.kt

@@ -4,7 +4,6 @@ import jakarta.xml.soap.SOAPConstants
 import no.nav.emottak.crypto.FileKeyStoreConfig
 import no.nav.emottak.crypto.KeyStoreManager
 import no.nav.emottak.crypto.VaultKeyStoreConfig
-import no.nav.emottak.crypto.parseVaultJsonObject
 import no.nav.emottak.ebms.validation.CID_PREFIX
 import no.nav.emottak.ebms.validation.EbMSAttachmentResolver
 import no.nav.emottak.message.model.EbMSDocument
@@ -14,6 +13,7 @@ import no.nav.emottak.util.createX509Certificate
 import no.nav.emottak.util.getFirstChildElement
 import no.nav.emottak.util.signatur.SignatureException
 import no.nav.emottak.utils.environment.getEnvVar
+import no.nav.emottak.utils.vault.parseVaultJsonObject
 import org.apache.xml.security.exceptions.XMLSecurityException
 import org.apache.xml.security.signature.XMLSignature
 import org.apache.xml.security.transforms.Transforms

felles/build.gradle.kts

@@ -32,15 +32,13 @@ dependencies {
     implementation(libs.ebxml.protokoll)
     implementation(libs.emottak.payload.xsd)
     implementation(libs.guava)
-    implementation(libs.hikari)
     api("dev.reformator.stacktracedecoroutinator:stacktrace-decoroutinator-jvm:2.3.8")
     implementation(libs.flyway.core)
     implementation(libs.ktor.serialization.kotlinx.json)
     implementation(libs.apache.santuario)
     implementation(libs.bundles.logging)
     implementation(libs.ktor.client.core)
     implementation(libs.ktor.client.cio)
-    implementation("com.bettercloud:vault-java-driver:5.1.0")
     api(libs.bundles.bouncycastle)
     testImplementation(testLibs.junit.jupiter.api)
     testImplementation(testLibs.junit.jupiter.engine)

felles/src/main/kotlin/no/nav/emottak/crypto/VaultKeyStoreConfig.kt

@@ -1,9 +1,7 @@
 package no.nav.emottak.crypto
 
-import kotlinx.serialization.json.Json
-import kotlinx.serialization.json.jsonObject
-import kotlinx.serialization.json.jsonPrimitive
-import no.nav.emottak.vault.VaultUtil
+import no.nav.emottak.utils.vault.VaultUtil
+import no.nav.emottak.utils.vault.parseVaultJsonObject
 import java.io.InputStream
 import kotlin.io.encoding.Base64
 import kotlin.io.encoding.ExperimentalEncodingApi
@@ -14,15 +12,12 @@ class VaultKeyStoreConfig(
     keyStoreFileResource: String,
     keyStorePassResource: String
 ) : KeyStoreConfig {
-    override val keyStoreFile: InputStream = getDecodedVaultKeyStoreFile(keyStoreVaultPath, keyStoreFileResource)
-    override val keyStorePass: CharArray = VaultUtil.readVaultPathResource(keyStoreVaultPath, keyStorePassResource).parseVaultJsonObject("password").toCharArray()
-    override val keyStoreType: String = VaultUtil.readVaultPathResource(keyStoreVaultPath, keyStorePassResource).parseVaultJsonObject("type")
+    private val keystoreVaultMap: Map<String, String> = VaultUtil.readVaultPathData(keyStoreVaultPath)
+    override val keyStoreFile: InputStream = keystoreVaultMap.getDecodedVaultKeyStoreFile(keyStoreFileResource)
+    override val keyStorePass: CharArray = keystoreVaultMap[keyStorePassResource]!!.parseVaultJsonObject("password").toCharArray()
+    override val keyStoreType: String = keystoreVaultMap[keyStorePassResource]!!.parseVaultJsonObject("type")
 
     @OptIn(ExperimentalEncodingApi::class)
-    private fun getDecodedVaultKeyStoreFile(keyStoreVaultPath: String, keyStoreFileResource: String): InputStream =
-        VaultUtil.readVaultPathResource(keyStoreVaultPath, keyStoreFileResource).byteInputStream().decodingWith(Base64.Mime)
+    private fun Map<String, String>.getDecodedVaultKeyStoreFile(keyStoreFileResource: String): InputStream =
+        this[keyStoreFileResource]!!.byteInputStream().decodingWith(Base64.Mime)
 }
-
-fun String.parseVaultJsonObject(field: String) = Json.parseToJsonElement(
-    this
-).jsonObject[field]!!.jsonPrimitive.content

felles/src/main/kotlin/no/nav/emottak/util/SertifikatUtil.kt

@@ -6,8 +6,6 @@ import java.security.cert.CertificateException
 import java.security.cert.CertificateFactory
 import java.security.cert.X509CRL
 import java.security.cert.X509Certificate
-import kotlin.io.encoding.Base64
-import kotlin.io.encoding.ExperimentalEncodingApi
 
 fun isSelfSigned(certificate: X509Certificate) =
     certificate.subjectX500Principal == certificate.issuerX500Principal
@@ -27,5 +25,4 @@ fun createCRLFile(byteArray: ByteArray): X509CRL {
     return factory.generateCRL(ByteArrayInputStream(byteArray)) as X509CRL
 }
 
-@OptIn(ExperimentalEncodingApi::class)
 fun decodeBase64(base64String: ByteArray): ByteArray = java.util.Base64.getMimeDecoder().decode(base64String)

felles/src/main/kotlin/no/nav/emottak/vault/VaultUtil.kt

@@ -21,7 +21,7 @@ dependencyResolutionManagement {
             version("hoplite", "2.8.2")
             version("logback", "1.5.17")
             version("logstash", "8.0")
-            version("emottak-utils", "0.2.0")
+            version("emottak-utils", "0.2.1")
 
             library("bcpkix-jdk18on", "org.bouncycastle", "bcpkix-jdk18on").versionRef("bouncycastle")
             library("bcprov-jdk18on", "org.bouncycastle", "bcprov-jdk18on").versionRef("bouncycastle")